ATM security: Banks, firms must stay a step ahead

WHEN cyber-criminals are intent on exploiting vulnerabilities in the security surfaces of financial institutions, ATM systems can serve as primary access points. While "smash-and-grab" attacks on ATMs are nothing new, in the rapidly-evolving world of cyber crime, cash machines are now a focus for operatives aiming to siphon bounty ranging from customer data to old-fashioned cash.

The Asia-Pacific is still a region dominated by the use of cash. According to Retail Banking Research (RBR), while the number of ATMs installed worldwide grew by 3 per cent to 3.3 million in 2016, the number of these machines grew 6 per cent in region, and now accounts for just over half of all terminals worldwide. This share is expected to rise further in the coming years, to 54 per cent by the end of 2022.

Although cases of robbery or people getting mugged at ATMs are relatively rare, particularly in Singapore, ATM fraud has actually been a growing phenomenon for a few years now. In 2011, a syndicate cheated DBS customers of more than S$1 million by skimming PINs at two ATMs in Bugis. Then in 2016, two Romanian men were jailed for up to three years for stealing S$75,000 from ATMs by using cloned cards. And last September, a Chinese man was jailed for three years for possessing equipment to make cloned ATM cards.

This ATM threat is not physical, but in the world of cyber crime. Last year, the FBI issued a warning about an imminent global cyber-attack on commercial bank ATMs. Known as an ATM "cashout", the pre-empted attack centred on the hacking of a bank or payment processor to enable the fraudulent withdrawal of funds using cloned cards. This is typical of a sophisticated hack that can impact consumers directly while derailing the operations of banks and businesses.

Over the past decade, ATM malware has developed rapidly. The European Union Agency for Law Enforcement Cooperation, known as Europol, highlighted this emerging threat and warned that incidents of ATM targeting are likely to become more common.

In addition, according to a report by Marsh & McLennan, the Asia-Pacific offers an ideal environment for cyber criminals to thrive because of its high digital connectivity and its low cyber security awareness, growing cross-border data transfers and weak regulations.

It also revealed that business revenues lost in the region due to cyber attacks amounted to US$81.3 billion in 2015. And while cyber security solutions can deal with infrastructural vulnerabilities, ATM hardware and operating systems often remain a particular weakness.

ATM attacks fall into two categories: physical or logical. In a physical attack, the perpetrator is present before, during or after the crime. It involves the use of physical force to compromise the machine; this still occurs in some parts of the Asia-Pacific.

Logical attacks generally involve malware and specialist electronics to gain control of the ATM and access to customer data and funds.

SKIMMING THE TOP

Theft at the ATM interface is becoming more sophisticated and profitable. ATM manufacturer Diebold Nixdorf says ATM "skimming" now has a global cost exceeding US$2 billion. Skimming is the act of siphoning customer data at the ATM using hardware that mimics the appearance of legitimate machine components. The technology needed can easily - and legally - be purchased online.

While methods and components vary greatly, skimming hardware is now more discreet and effective, and is often virtually impossible to spot. Some equipment is now as thin as a credit card and can be installed in the ATM's card slot. Once operational, the "skimmer" can siphon the card details of unwitting consumers - sometimes directly to the perpetrator's mobile via Bluetooth.

The most sophisticated form of logical ATM attack is referred to as "cashout" or "jackpotting". This approach involves infecting an ATM with malicious software. For instance, an early form of this type of attack involved the transfer of malware to the ATM on a USB through an interface portal. Modes of infiltration have since become more effective and require even less involvement by the hacker.

As research by the European Association for Secure Transactions (East) has found, "black box" ATM attacks have been on the rise in Europe. To perform this type of jackpotting attack, the perpetrator connects a device known as a "black box" to the ATM's "top box", or the interior of the machine. The device then reverts the machine to supervisor mode and dispenses cash.

This is another increasingly popular tactic in the Asia-Pacific. In 2016, a group of hackers in Japan stole US$13 million from ATMs in a three-hour, 14,000-withdrawal transaction spree; in Taiwan, hackers breached a major domestic bank in July the same year and used malware to withdraw more than US$2 million from dozens of ATMs. A similar crime occurred last August, in which an India-based bank system was hacked via a malware attack on its ATM server and nearly US$13.5 million was successfully siphoned off.

Financial gain is the motive behind 90 per cent of all cyber attacks, and unsecure ATMs present a soft target for criminals. Hackers are constantly looking for vulnerabilities across the spectrum of bank IT infrastructures and endpoints. And while banks safeguard against sophisticated phishing attacks across other areas of the network, they cannot afford to ignore the dangers ATMs are prey to. Hackers often view ATMs as easy access to a bank's infrastructure. And while unauthorised access might not always be preventable, restricting the extent of this infiltration is key.

HIJACKED EMPLOYEE CREDENTIALS

For example, hacking using hijacked employee credentials has become prevalent in recent years. This issue can be mitigated by centrally securing privileged credentials, with multi-factor authentication and controlling network access based on need. Thus, hackers are restricted in terms of their mobility through the environment and the extent to which they can compromise security controls and access capital.

Moreover, there is an onus on banks to constantly monitor for threat risks. This should involve a holistic approach to how vulnerabilities are identified and should include ATMs as a first line of defence. By constantly monitoring events and patterns, it becomes easier to spot irregularities and unusual activity - for instance, those originating from the unauthorised use of employee credentials. If vigilance is consistent, reaction times can become quicker to prevent the siphoning of data or access to cash funds by hackers.

Today, more than ever, there is a need for banks and businesses to recognise that ATMs require the same levels of rolling security provision and upgrading as every other aspect of their infrastructure. Like all other forms of cyber crime, ATM attacks are changing and adapting all the time. It is therefore essential for banks to understand this threat and to keep the integrity of their ATM security one step ahead.